This is a really hot matter, in all senses. Before reading HOW to "automatically generate fine-grained policy rules from intuitive high-level security requirements and system models", please briefly answer the following questions:
1) Does "model-driven security" have a standardized mechanism for validating the "intuitive high-level security requirements" (to protect against a fool)?
2) Does "model-driven security" have a standardized mechanism for validating the generated fine-grained policy rules for compatibility and compliance with other rules (a new rule may open a back door which is supposed to be locked by another, existing rule)? If this mechanism exists, is it automated?
3) What is the role of the "system models" in this generation? That is, do the generated rules adapt to what exists, or to what should exist and be protected?
4) Why is it "model-driven security" rather than "security-driven model"?
- Michael
________________________________
From: ul201 <[email protected]>
To: [email protected]
Sent: Monday, January 5, 2009 5:27:03 PM
Subject: [service-orientated-architecture] Re: policy-driven security

Hi! I just came across this thread and thought I'd add my 2 cents about XACML etc. for SOA. I agree with most of what was said so far. There is one aspect that is rapidly emerging to solve some of the policy management challenges, in particular the unmanageability and "update hell" related to fine-grained (e.g. XACML) policies in agile SOA environments. This technology approach is called "model-driven security", and the basic idea is to automatically generate fine-grained policy rules from intuitive high-level security requirements and system models (e.g. BPM workflows or UMLs). This way, you only have to manage the intuitive requirements, and also you do not have to update everything every time the system configuration changes (it can do that a lot in SOA!). You can read up on this at www.modeldrivensecurity.org, and find some demo videos at www.openpmf.com. This is one of the missing parts of an overall policy management architecture (XACML is another potential part of the solution). It is also related to the PAL language discussion earlier.
Regards,
Ulrich
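The generate-then-check loop the two messages above argue about, as an added illustrative example (this is not code from the thread, from OpenPMF or from modeldrivensecurity.org): a BPM-style workflow model plus one high-level requirement ("each step may only be invoked by its assigned role") is compiled into XACML 3.0 rules, and every generated Permit is checked against the baseline rules that already exist so that it cannot silently reopen something an existing Deny locks. The workflow, the role names, the baseline separation-of-duties rule and the deliberate mis-binding of the pay_supplier step are all constructed for the example.

```python
"""Toy model-driven security generator (added example, not OpenPMF code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One fine-grained rule: which role may perform which action on which service."""
    role: str       # "*" matches any role
    resource: str   # service name
    action: str     # operation name
    effect: str     # "Permit" or "Deny"


# Constructed system model (what a BPM export might yield): each workflow step
# names the service operation it calls and the role that performs the step.
# pay_supplier is deliberately bound to "manager" so the check below fires.
SYSTEM_MODEL = {
    "roles": {"clerk", "manager", "cfo"},
    "steps": [
        {"name": "submit_order",  "service": "OrderService",   "operation": "create",   "role": "clerk"},
        {"name": "approve_order", "service": "OrderService",   "operation": "approve",  "role": "manager"},
        {"name": "pay_supplier",  "service": "PaymentService", "operation": "transfer", "role": "manager"},
    ],
}

# Constructed baseline rules maintained outside the generator: separation of
# duties says whoever approves an order must not also pay for it.
EXISTING_RULES = [
    Rule("manager", "PaymentService", "transfer", "Deny"),
    Rule("cfo",     "PaymentService", "transfer", "Permit"),
]


def validate_model(model):
    """Input sanity check (question 1): every step must use a declared role."""
    return [f"step {s['name']} uses undeclared role {s['role']}"
            for s in model["steps"] if s["role"] not in model["roles"]]


def generate_rules(model):
    """Requirement 'each step may only be invoked by its assigned role'
    becomes one Permit per distinct (role, service, operation)."""
    rules = []
    for s in model["steps"]:
        rule = Rule(s["role"], s["service"], s["operation"], "Permit")
        if rule not in rules:
            rules.append(rule)
    return rules


def covers(deny, permit):
    """True when the Deny rule's target includes the Permit rule's target."""
    return all(a == "*" or a == b
               for a, b in zip((deny.role, deny.resource, deny.action),
                               (permit.role, permit.resource, permit.action)))


def find_conflicts(generated, existing):
    """Question 2: generated Permits covered by an existing Deny. Under
    deny-overrides the Deny silently wins; under permit-overrides the new
    Permit reopens what the Deny locked. Either way it must be surfaced."""
    return [(g, e) for g in generated if g.effect == "Permit"
            for e in existing if e.effect == "Deny" and covers(e, g)]


def compile_policy(model, existing):
    """Returns (accepted_rules, conflicting_pairs); raises on an invalid model."""
    errors = validate_model(model)
    if errors:
        raise ValueError("; ".join(errors))
    generated = generate_rules(model)
    conflicts = find_conflicts(generated, existing)
    rejected = {g for g, _ in conflicts}
    return [g for g in generated if g not in rejected], conflicts


# Render as XACML 3.0 <Rule> elements so the output feeds an existing PDP.
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
TARGETS = [  # (attribute category, attribute id, Rule field)
    ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
     "urn:oasis:names:tc:xacml:2.0:subject:role", "role"),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
     "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "resource"),
    ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
     "urn:oasis:names:tc:xacml:1.0:action:action-id", "action"),
]


def to_xacml(rule, rule_id):
    matches = "".join(
        f'<Match MatchId="{STRING_EQUAL}">'
        f'<AttributeValue DataType="{XS_STRING}">{getattr(rule, field)}</AttributeValue>'
        f'<AttributeDesignator Category="{cat}" AttributeId="{attr}" '
        f'DataType="{XS_STRING}" MustBePresent="false"/></Match>'
        for cat, attr, field in TARGETS if getattr(rule, field) != "*")
    return (f'<Rule RuleId="{rule_id}" Effect="{rule.effect}">'
            f'<Target><AnyOf><AllOf>{matches}</AllOf></AnyOf></Target></Rule>')


if __name__ == "__main__":
    accepted, conflicts = compile_policy(SYSTEM_MODEL, EXISTING_RULES)
    for i, r in enumerate(accepted):
        print(to_xacml(r, f"generated-{i}"))
    for g, e in conflicts:
        print(f"REJECTED {g}: would reopen {e}")
```

Run as a script it emits two XACML rules (clerk/create and manager/approve) and rejects the third, manager/transfer, because the baseline Deny covers it. That rejected pair is also the answer to question 3 in miniature: the generator adapts to whatever the model says exists, so a mis-modelled step produces a mis-generated Permit, and the only thing standing between that and a live back door is the conflict check against rules maintained independently of the model.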
